Microsoft Privacy Case Has Cloud Industry on Edge

Aug 26, 2014

Who owns data stored in the cloud? Where are the legal boundaries? These are issues at the core of a privacy case in which Microsoft has been ordered by a U.S. federal court to turn over a customer’s e-mail that is stored on servers in Ireland in compliance with a U.S. government-issued search warrant. Microsoft is fighting the ruling, contending that the e-mails belong to the customer. As for the search warrant, Microsoft says there is well-established case law that it cannot reach beyond U.S. shores. U.S. District Judge Loretta Preska ruled the location of the e-mail was irrelevant because Microsoft controls it from the United States.

Many see this as the latest hit to the cloud computing industry and, particularly, to U.S. cloud providers still dealing with trust issues because of the National Security Agency surveillance scandal. But that’s just one piece – this case could also have far-reaching ramifications for international law. In an interview with InformationWeek,Morgan Reed, executive director of the Association for Competitive Technology, pointed out that if the U.S. government can force Microsoft to turn over data in an Irish data center, European governments could decide they can extract data from U.S. citizens anywhere in the world.

Elad Yoran, CEO of cloud security vendor Vaultive, told InformationWeek that businesses should not resist the cloud but should ensure that they control their data. He stressed the importance of encrypting data before moving it to the cloud and holding on to the encryption key.

Kate Westmoreland, a lawyer and fellow at Stanford Law School, concurred: “It means power is back with the user. There are limitations on being able to compel users to give up those keys.”

Preska’s verdict wasn’t immediately applied because she unexpectedly issued a bench ruling that stayed her decision so Microsoft could appeal.

"Either way this decision unfolds in the end, the important thing is to have some business certainty," Westmoreland said.

ARMA International has long encouraged organizations to be proactive in negotiating contracts for cloud storage. From the records management perspective, outsourcing storage to the cloud shares some key issues with other forms of information outsourcing. While an organization can outsource storage of information, it can’t outsource the responsibility and accountability for determining how the information will be managed and protected.

Many of the challenges and considerations for cloud-based storage are provided in ARMA International’s Guideline for Outsourcing Records Storage to the Cloud.